dingyi
Update dependency next to v14.1.1 [SECURITY]
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| next (source) | 14.1.0 -> 14.1.1 |
GitHub Vulnerability Alerts
CVE-2024-34351
Impact
A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.
Prerequisites
- Next.js (
<14.1.1) is running in a self-hosted* manner. - The Next.js application makes use of Server Actions.
- The Server Action performs a redirect to a relative path which starts with a
/.
* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.
Patches
This vulnerability was patched in #62561 and fixed in Next.js 14.1.1.
Workarounds
There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.
Credit
Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:
Adam Kues - Assetnote Shubham Shah - Assetnote
Release Notes
vercel/next.js (next)
v14.1.1
Note: this is a backport release for critical bug fixes -- this does not include all pending features/changes on canary
Core Changes
- Should not warn metadataBase missing if only absolute urls are present: https://github.com/vercel/next.js/pull/61898
- Fix trailing slash for canonical url: https://github.com/vercel/next.js/pull/62109
- Fix metadata json manifest convention: https://github.com/vercel/next.js/pull/62615
- Improve the Server Actions SWC transform: https://github.com/vercel/next.js/pull/61001
- Fix Server Reference being double registered: https://github.com/vercel/next.js/pull/61244
- Improve the Server Actions SWC transform (part 2): https://github.com/vercel/next.js/pull/62052
- Fix module-level Server Action creation with closure-closed values: https://github.com/vercel/next.js/pull/62437
- Fix draft mode invariant: https://github.com/vercel/next.js/pull/62121
- fix: babel usage with next/image: https://github.com/vercel/next.js/pull/61835
- Fix next/server api alias for ESM pkg: https://github.com/vercel/next.js/pull/61721
- Replace image optimizer IPC call with request handler: https://github.com/vercel/next.js/pull/61471
- chore: refactor image optimization to separate external/internal urls: https://github.com/vercel/next.js/pull/61172
- fix(image): warn when animated image is missing unoptimized prop: https://github.com/vercel/next.js/pull/61045
- fix(build-output): show stack during CSR bailout warning: https://github.com/vercel/next.js/pull/62594
- Fix extra swc optimizer applied to node_modules in browser layer: https://github.com/vercel/next.js/pull/62051
- fix(next-swc): Detect exports.foo from cjs_finder: https://github.com/vercel/next.js/pull/61795
- Fix attempted import error for react: https://github.com/vercel/next.js/pull/61791
- Add stack trace to client rendering bailout error: https://github.com/vercel/next.js/pull/61200
- fix router crash on revalidate + popstate: https://github.com/vercel/next.js/pull/62383
- fix loading issue when navigating to page with async metadata: https://github.com/vercel/next.js/pull/61687
- revert changes to process default routes at build: https://github.com/vercel/next.js/pull/61241
- fix parallel route top-level catch-all normalization logic to support nested explicit (non-catchall) slot routes: https://github.com/vercel/next.js/pull/60776
- Improve redirection handling: https://github.com/vercel/next.js/pull/62561
- Simplify node/edge server chunking some: https://github.com/vercel/next.js/pull/62424
Credits
Huge thanks to @huozhi, @shuding, @Ethan-Arrowood, @styfle, @ijjk, @ztanner, @balazsorban44, @kdy1, and @williamli for helping!
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}
The latest updates on your projects. Learn more about Vercel for Git ↗︎
| Name | Status | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| ding-one | ❌ Failed (Inspect) | May 10, 2024 7:37am |
![vercel[bot] avatar](https://avatars.githubusercontent.com/in/8329?v=4 "Published by a pub.dev verified publisher"){kind=small}
Link Height tasks by mentioning a task ID in the pull request title or commit messages, or description and comments with the keyword
link(e.g. "Link T-123").💡Tip: You can also use "Close T-X" to automatically close a task when the pull request is merged.
![height[bot] avatar](https://avatars.githubusercontent.com/in/9620?v=4 "Published by a pub.dev verified publisher"){kind=small}
![codesandbox[bot] avatar](https://avatars.githubusercontent.com/in/206332?v=4 "Published by a pub.dev verified publisher"){kind=small}
PR Summary
-
Update of
nextVersion Thenextversion has been updated from14.1.0to14.1.1in both thepackage.jsonandpnpm-lock.yamlfile. This means that our application will now use the updated version of thenextsoftware, potentially providing enhanced performance and new features. -
Upgrade of
@next/fontVersion The version of@next/fontinpnpm-lock.yamlhas been updated from14.1.0to14.1.1. This enhancement could bring improvements to the way the application manages fonts. -
Change in
@plaiceholder/nextVersion In thepnpm-lock.yamlfile, the version of@plaiceholder/nextremained constant at3.0.0. This shows no new changes or updates were made to this particular package. -
Updates to Other Packages Using
nextDifferent packages that were using the oldnextversion (14.1.0) have been modified to use the newnextversion (14.1.1). This implies that those packages can now make use of any improvements or added features present in the updated version ofnext. -
Steadiness of Other Package Versions The versions of other packages, excluding those above, are kept constant. This indicates that these haven't been touched in this particular update and continue to function as they did.
![what-the-diff[bot] avatar](https://avatars.githubusercontent.com/in/242248?v=4 "Published by a pub.dev verified publisher"){kind=small}